ChapterÂ 11.Â Security

11.1.Â Why Security is So Important

Bugs are occasionally introduced to the software. Arguably,
the most dangerous of them are those opening security
vulnerabilities. From the technical viewpoint, such
vulnerabilities are to be closed by exterminating the bugs that
caused them. However, the policies for handling mere bugs and
security vulnerabilities are very different.

A typical small bug affects only those users who have
enabled some combination of options triggering the bug. The
developer will eventually release a patch followed by a new
version of the software, free of the bug, but the majority of
users will not take the trouble of upgrading immediately because
the bug has never vexed them. A critical bug that may cause
data loss represents a graver issue. Nevertheless, prudent
users know that a lot of possible accidents, besides software
bugs, are likely to lead to data loss, and so they make backups
of important data; in addition, a critical bug will be
discovered really soon.

A security vulnerability is all different. First, it may
remain unnoticed for years because often it does not cause
software malfunction. Second, a malicious party can use it to
gain unauthorized access to a vulnerable system, to destroy or
alter sensitive data; and in the worst case the user will not
even notice the harm caused. Third, exposing a vulnerable
system often assists attackers to break into other systems that
could not be compromised otherwise. Therefore closing a
vulnerability alone is not enough: notify the audience
of it in the most clear and comprehensive manner, which
will allow them to evaluate the danger and take appropriate
action.